cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
846
Views
0
Helpful
8
Replies

VPN between Cisco Router (IOS) and FTD

Bobojon Boboev
Level 1
Level 1

it is possible VPN between Router IOS and FTD becous i config VPN it is not work. Phasser 1 not up when i see ikev1 details show me that policies don't match

> show crypto ikev1 sa detail

IKEv1 SAs:

Active SA: 1
Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
Total IKE SA: 1

1 IKE Peer: 85.9.128.25
Type : user Role : initiator
Rekey : no State : MM_WAIT_MSG2
Encrypt : aes-256 Hash : SHA
Auth : preshared Lifetime: 0
ivrf :

 

then i add all possible policy but steel not work command > show crypto ikev1 sa detail show me nothings


> show crypto ikev1 sa detail

There are no IKEv1 SAs
>
>

 

 

8 Replies 8

balaji.bandi
Hall of Fame
Hall of Fame

how are you managing FTD ? what Version of FTD ?

MM_WAIT_MSG2  - means below reason :

1. check any FW between these device to comminication.

2. make sure both the side phase 1 configuration is same.

3. check UDP 500 is reachable (also cehck any of the device behind NAT ?)

Run debug both the side.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Bobojon Boboev
Level 1
Level 1

my FTD version is 7.2.4

there is a connection between the equipment i see remote public ip with ping

both the side phase 1 configuration is same.

but bebug show that the policy in phase1 is not the same

500 udp is available and i don't have NAT devices in front of the FTD

A very strange situation

 

You need to post the config or refer below guide : give you some direction (how is FTD managed by FDM or FMC ?)

https://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios/218432-configure-a-site-to-site-ipsec-ikev1-tun.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Can I see the config of both?

Sha I think is not support from ftd your need to change it to sha128 or more.

MHM

Bobojon Boboev
Level 1
Level 1

managed by FMC 

here is my config

crypto ikev1 enable P2P-ASR
crypto ikev1 am-disable
crypto ikev1 policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400

crypto ipsec ikev1 transform-set CSM_TS_1 esp-aes-256 esp-sha-hmac

access-list CSM_IPSEC_ACL_71 extended permit ip host 172.16.16.31 host 172.28.198.120

crypto map CSM_P2P-ASR_map 30 match address CSM_IPSEC_ACL_71
crypto map CSM_P2P-ASR_map 30 set peer 85.9.128.25
crypto map CSM_P2P-ASR_map 30 set ikev1 transform-set CSM_TS_1
crypto map CSM_P2P-ASR_map 30 set security-association lifetime seconds 3600
crypto map CSM_P2P-ASR_map 30 set reverse-route

nat (LAN,P2P-ASR) source static 192.168.40.82 31 host 172.16.16.31 destination static 172.28.198.120 172.28.198.120

on NAT i hide my address (192.168.40.82) behind 172.16.16.31

on remote side unforchunatly i can't give all configuration can show basic config

crypto isakmp policy 5
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption aes
hash sha
group 5
lifetime 86400
crypto isakmp policy 20
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 30
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400
crypto isakmp policy 40
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 28800
crypto isakmp policy 50
authentication pre-share
encryption 3des
hash md5
group 5
lifetime 86400
crypto isakmp policy 60
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 7200
crypto isakmp policy 70
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 3600
crypto isakmp policy 80
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 28800
crypto isakmp policy 100
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 28800
crypto isakmp policy 110
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 84000
crypto isakmp policy 120
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 3600

at least the first phase should work 

As I mention the sha and also group 2'5 not more support by ftd.

You need to change them.

MHM

check the release notes from FT 6.7 DH have changed - 

Version 6.7.0 Deprecated Features

i suggest to use DH 15 or higher :

https://www.cisco.com/c/en/us/td/docs/security/firepower/670/relnotes/firepower-release-notes-670/m_features_functionality.html

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Bobojon Boboev
Level 1
Level 1

how not support they are present in configurations